Safe podcatchingA few days back, I inadvertently posted an executable in the link to a post title. IN some sense, I think it was actually a good thing. Since the .exe was the first file in my post, the SmartCast service I use from Feedburner embedded the path information in an enclosure tag in my RSS feed. The intent of SmartCast is to embed audio files for podcasting in the feed, so that podcatching applications can download the file.
Though my action was unintentional, I received some e-mail indicating that an installation package kicked off as the result of my mistake. In fact, it happened to me, as I indicated and apologized one I recognized the issue. This really got me thinking about safe podcatching; to read my potential concerns and the proactive approach of one developer, click the "Read More" link.
As I indicated, this entire situation was a mistake. I posted the direct link to a Microsoft Power Toy that creates a custom font based on handwriting. I meant to post a link to the page that provided the .exe. So what's the concern?
Well, we can't change the RSS specification; we have to abide by what it says. What it basically says is: any type of file type can be embedded in the enclosure tag. For podcasting, we use that for .mp3 files, .wma's, torrents, etc.... We can also use the enclosure tag to provide the link for a video file, such as a .mov, for example.
Here's the kicker: what prevents the RSS feed from providing a malicious executable, a VB script or some other virus mechanism? The only thing that can prevent it is the client software as far as I can tell. I'm not suggesting there is anything wrong with the RSS spec and I fully intend to mail this post to Dave Winer for his thoughts. However, we need to be aware of any potential "gap" here so that we don't begin to see virus proliferation through a new back door.
As a Doppler user, I immediately contacted Erwin van Hunen who develops and supports Doppler. I will disclose up front that I do not feel that this issue is the result of bad software and I continue to recommend Doppler and other podcatchers on a daily basis. Erwin has done some testing and hasn't seen the same potential for malicious software spreading just yet, but I have to commend him for two reasons:
1. He took the time to listen and look into the issue.
2. He has indicated that he will do further research and potentially close off any security holes as the result of the way the specification can be used.
My intent isn't to scare anyone off from any podcatching software, nor is it to create a scene over a non-issue. If we find that my fears are unfounded, I will be the first to say I'm sorry. I'd rather err on the side of caution, however, so I bring this up for the community to review and comment.